IP range based authentication

  • Release version: Yokohama
  • Updated January 30, 2025

    One way to secure a web-based application is to restrict access based on the IP address.

    You can block access to a specific address or range of addresses that you suspect belong to malicious individuals. The instance allows you to control access by IP address.

    Note:
    Use the Adaptive Authentication (AA) pre-authentication context policy to enforce IP-based authentication and restrictions with additional capabilities. For more information, see Adaptive authentication.

    Notes and Limitations:

    • The system won't let you lock yourself out, so if you try to add a rule such that your current address would be locked out, the system warns you and refuses your insert.
    • If you're inside of a corporate intranet, be very careful about setting up your IP rules. The IP address you see on your own computer (like 10.10.10.25) generally bears no relationship to the IP address you will actually appear as out on the internet. Your company likely proxies and/or NATs your address into a predictable set of outbound addresses which you will likely need to ask your network team about.
    • A user whose access is restricted based on an access rule gets a 403 error on their browser.
    • Restricted users do not use transactions, semaphores, or count towards any server resource counts.
    • This feature does not supersede or override your existing access control rules if, for example, you're running a VPN to our data center. It's an additional check that must be met in addition to any access controls we may have set up on your PIX.
    • Allow rules always supersede deny rules. So if an address is both allowed (by one rule) and denied (by a second rule) it is, in fact, allowed.
    • Asterisks and CIDR blocks are not currently supported.
    • For forwarded proxy addresses, the allow rules are applied to each address in the chain first; the deny rules are applied to each address in the chain only if none of the allow rules matched.
    • IP range based authentication can affect the transfer of update sets. If IP address access control is enabled on the source instance, add the IP addresses of all application nodes supporting your instance as exceptions.
      Note:
      To find your instance IP information, log in to ServiceNow - NOW Support and search for the My IP Information service catalog item.
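    The following is an added example, not ServiceNow's code, that models the evaluation order described in the notes above: rule values are single IPv4 addresses or start-end ranges (no asterisks or CIDR), allow rules supersede deny rules, and for a forwarded proxy chain every address is checked against the allow rules before any deny rule is applied. It assumes that a request matching no rule at all is permitted and that a deny match on any address in the chain is enough to deny; the rule format and function names are this example's own.

```python
# Added example (not ServiceNow's code): a model of IP range based
# authentication rule evaluation as described on this page.
# Assumptions: no matching rule means access is permitted; a deny match on
# any address in the forwarded chain denies the request.
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    start: IPv4Address
    end: IPv4Address       # equal to start for a single-address rule

    def matches(self, addr: IPv4Address) -> bool:
        return self.start <= addr <= self.end


def parse_rule(action: str, spec: str) -> Rule:
    """spec is '203.0.113.7' or '203.0.113.0-203.0.113.255'.
    Asterisks and CIDR blocks are rejected, as the page says they are unsupported."""
    if "*" in spec or "/" in spec:
        raise ValueError(f"wildcards and CIDR are not supported: {spec}")
    lo, _, hi = spec.partition("-")
    start, end = IPv4Address(lo.strip()), IPv4Address((hi or lo).strip())
    if end < start:
        raise ValueError(f"range end precedes start: {spec}")
    return Rule(action, start, end)


def is_allowed(chain: list[str], rules: list[Rule]) -> bool:
    """chain is the client address followed by any forwarded proxy addresses."""
    addrs = [IPv4Address(a.strip()) for a in chain]
    allows = [r for r in rules if r.action == "allow"]
    denies = [r for r in rules if r.action == "deny"]
    # Allow rules are evaluated against every address in the chain first,
    # and an allow match wins even if a deny rule also matches.
    if any(r.matches(a) for a in addrs for r in allows):
        return True
    # Only when nothing was allowed are deny rules applied to each address.
    return not any(r.matches(a) for a in addrs for r in denies)


def would_lock_out_self(my_ip: str, rules: list[Rule], new_rule: Rule) -> bool:
    """Mirrors the self-lockout check: a rule that would deny the current
    session's own address should be refused before it is inserted."""
    return not is_allowed([my_ip], rules + [new_rule])
```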
    Note:
    To learn more about the com.snc.ipauthenticator and glide.ip.authenticate.strict properties, which restrict instance access to specific IP ranges, see the following topics in Instance Security Hardening Settings: